The Orbtrace debugger hardware connected to a development board t hrough a 20-pin ribbon cable. The development board has a green LED shining.

ORBTrace Effort: Open Tool For Professional Debugging

There are some fairly powerful debugging facilities available on today’s microcontrollers — if your code crashes mysteriously, chances are, there’s a debugging interface that could let you track down the exact crash circumstances in no time. Sadly, debugging tools for these powerful interfaces tend to be prohibitively expensive and highly proprietary, thus, not friendly for hobbyists. Now, there’s a community-driven high-capability debugging platform called ORBTrace, brought to us by [mubes] and [zyp].

With parallel trace, you get a constant stream of consciousness, every exact instruction executed by your CPU. [mubes] and [zyp] set out to tap into the power of parallel trace debugging for Cortex-M processors. and the ORBTrace project was born. Relying on the Orbuculum project’s software capabilities, this FPGA-based debugger platform can do parallel trace and the more popular high-speed SWO trace – and way more. ORBTrace has the potential to grow into a powerful debug helper tool, with enough capabilities for anyone to benefit. And of course, it’s fully open-source.

The ORBTrace board, with a FPGA in the center of it, a USB-C connector on the left, and two IDC debug connectors on the right (one ten-pin and one twenty-pin)The ORBTrace platform has plenty of untapped potential. There’s the battle-tested JTAG and SWD that you can already use with all the open tools you could expect. However, there’s also plenty of available resources on the FPGA, including even a currently unutilized RISC-V softcore. If you wanted to add support for any other family of devices to this debugger, sky’s the limit! And, of course, there’s cool software to go with it – for example, orbmortem, which keeps a ring buffer of instructions in memory and shows you the last code executed before your CPU stops, or orbstat, a tool for profiling your embedded code.

If you’re looking to purchase effortless feature parity with Segger or Lauterbach devices, the ORBTrace doesn’t promise that. Instead, it’s an open debugging toolkit project, with hardware available for purchase, and software just waiting for you take control of it. This project’s community hangs out in the 1BitSquared discord’s #orbuculum channel, and gateware’s advancing at a rapid pace – welcoming you to join in on the fun.

ORBTrace is a powerful tool for when your goals become large and your problems become complex. And, being a community-driven experimental effort, we’ll undoubtedly see great things come out of it – like the Mooltipass project, originally developed by Hackaday community members, and still going strong.

Customizing Xiaomi ARM Cortex-M Firmware

This hack was revealed a while ago at DEFCON26, but it’s still a fascinating look into vulnerabilities that affect some of the most widely used IoT devices.

[Dennis Giese] figured out a way to modify ARM Cortex-M based firmware for use in customizing the functionality of devices or removing access to the vendor. Obviously, there are more malicious activities that can be done with this type of hack, as with any exploits of firmware, but they are (also) obviously not condoned.

The talk goes into the structure of Xiaomi ecosystem and products before going into a step-by-step approach to binary patching the firmware. The first step was to acquire the firmware, either by dumping SPI flash memory (using JTAG, SWD, or desoldered Flash pins) or intercepting traffic during a firmware update and downloading the firmware. There’s also a possibility of downloading the firmware using a URL, although this can be more difficult to find.

The firmware can then be parsed, which first requires the format to be converted from a proprietary format to and ELF file. This conversion makes it easier to load into IDA pro, and gives information on the segments of the firmware and its entry point. Python tools luckily exist for converting binary files to ELF, which simplifies the task.

After loading the ELF file into the disassembler, you’ll want to find the key memory area, denoted by “TAG_MAC”, “TAG_DID”, and “TAG_KEY” in the example firmware (for storing the MAC address, device ID, and key). In order to prepare the firmware for Nexmon – a software that supported C-based firmware binary patching for ARM Cortex-A and ARM Cortex-M binaries – you’ll need to partition some space in the memory for patches and know the function names and signatures for the firmware.

The latter is done by doing a difference comparison in the disassembler between an unknown executable and the example executable.

With the necessary information gathered, you can now use Nexmon to make your modifications. The fact that this can be done for smart devices at home means that smart devices you acquire – especially those partitioned by others – may contain malicious code, so take care when handling used devices.

Continue reading “Customizing Xiaomi ARM Cortex-M Firmware”